1. Technical Field
The present invention relates to a communication system including a communication device whose identity is verified by an authentication device using an electronically signed public key certificate.
2. Description of Related Art
Recently, as the use of network communication has expanded drastically, ensuring the security of communication has become critical. Electronic signatures and electronic authentication based on public key infrastructure (PKI) technology have come into wide use.
An electronic signature in a public key scheme is generated by encrypting a hash value of the object data with a private key (this is the RSA-type description; other schemes apply the private key differently), so the public key corresponding to that private key is necessary to verify the signature. Because the public key itself carries no information about its holder, a trusted third party issues a public key certificate attesting that the public key contained in the certificate belongs to the entity named in the certificate. The trusted third party that issues certificates is called a certificate authority (CA).
For example, Japanese Patent Application Provisional Publication No. P2004-7512A discloses a communication system configured so that the IP address and public key certificate of a host, which is a communication device in a LAN, are changed frequently (for each communication partner, for each session, or for each packet transmission). In that system, the CA that issues public key certificates is set up as a node in the LAN, and the host's user name, password and public key are registered with the CA. When a host requests the CA to issue a public key certificate, the CA verifies the host against the registered information, and host spoofing is thereby prevented.
For a communication device whose identity is verified with a public key certificate electronically signed by a CA, if the validity period of the certificate expires, or the certificate can no longer be used because the content to be verified (for example, the IP address or host name that identifies the key holder) has changed, the device must request the CA to re-issue the certificate. However, because the device's existing public key certificate is already revoked, the CA has no valid credential by which to verify the device, and a process as complicated as that for requesting the issuance of a new public key certificate becomes necessary.
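The mechanism described above, that is, signing a hash with a private key, verifying it with the public key from a CA-signed certificate, and the two failure modes just given (an expired validity period, and a host name or IP address that no longer matches the certified content), as an added self-contained Python example. It is not part of the patent text or of any cited system. Textbook RSA over a SHA-256 hash with small toy keys stands in for a real signature scheme, a JSON object stands in for an X.509 certificate, and the function names (issue_certificate, verify_certificate, authenticate), the host/ip subject fields, the integer timestamps and the challenge nonce are all hypothetical constructed data.

```python
"""Toy PKI in the Python standard library (added example, not from the patent).
Textbook RSA, no padding, small keys; JSON stands in for X.509. Not for production use."""
import hashlib
import json
import random

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test (toy: uses random, not a CSPRNG)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) RSA key dicts; 512-bit primes chosen for speed only."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        if p != q and (p - 1) % e and (q - 1) % e:   # gcd(e, phi) == 1
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def sign(private, data):
    """Signature = hash 'encrypted' with the private key: H(m)^d mod n.
    The 256-bit digest is always smaller than the modulus."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, private["d"], private["n"])

def verify(public, data, signature):
    """Recover the hash with the public key and compare: s^e mod n == H(m)."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, public["e"], public["n"]) == h

def _canonical(obj):
    # Deterministic bytes so issuer and verifier hash exactly the same content.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_certificate(ca_private, subject, subject_public, not_before, not_after):
    """CA binds a subject identity (hypothetical host/ip fields) to a public key."""
    tbs = {"subject": subject, "public_key": subject_public,
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(ca_private, _canonical(tbs))}

def verify_certificate(ca_public, cert, observed_subject, now):
    """Return 'ok' or the first reason the certificate cannot be used."""
    tbs = cert["tbs"]
    if not verify(ca_public, _canonical(tbs), cert["signature"]):
        return "bad CA signature"          # content altered after issuance
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return "expired"                   # validity period has run out
    if tbs["subject"] != observed_subject:
        return "subject mismatch"          # host name / IP address changed
    return "ok"

def authenticate(ca_public, cert, host_private, observed_subject, now, nonce):
    """Authentication device: check the certificate, then a signed challenge."""
    status = verify_certificate(ca_public, cert, observed_subject, now)
    if status != "ok":
        return status
    response = sign(host_private, nonce)          # performed by the host in practice
    ok = verify(cert["tbs"]["public_key"], nonce, response)
    return "ok" if ok else "bad challenge response"

def demo():
    """Normal case plus the failure modes described in the text; constructed data."""
    ca_pub, ca_priv = generate_keypair()
    host_pub, host_priv = generate_keypair()
    subject = {"host": "host1.example.lan", "ip": "192.0.2.10"}
    cert = issue_certificate(ca_priv, subject, host_pub, not_before=1000, not_after=2000)
    nonce = b"constructed-challenge-0001"
    moved = {"host": "host1.example.lan", "ip": "192.0.2.11"}   # host got a new IP
    forged = json.loads(json.dumps(cert))                        # host edits its own cert
    forged["tbs"]["subject"] = moved
    return {
        "valid": authenticate(ca_pub, cert, host_priv, subject, 1500, nonce),
        "expired": authenticate(ca_pub, cert, host_priv, subject, 2500, nonce),
        "moved": authenticate(ca_pub, cert, host_priv, moved, 1500, nonce),
        "tampered": authenticate(ca_pub, forged, host_priv, moved, 1500, nonce),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:9s} {status}")
```

The last two cases in demo() are the situation the text describes: once the host's IP address changes, its genuine certificate no longer matches what the authentication device observes, and the host cannot simply rewrite the certified content itself, because that breaks the CA's signature; only the CA can issue a certificate for the new identity.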
If the system is configured so that the user name, password and public key of the communication device are registered with the CA, as described in Japanese Patent Application Provisional Publication No. P2004-7512A, the CA can authenticate the communication device even after its public key certificate has been revoked. However, such a system requires a specially configured CA that authenticates the host on the basis of the user name and similar information, and that information must be registered with the CA beforehand. Such a system is not convenient for the user.